Mike Hughes

What’s the need?

As organisations progress into the 21st century and conduct business and operate in the digital and cyber age, Internal Audit skills, knowledge and techniques need to evolve. We can’t audit 21st century systems with 20th century audit practices.

In today’s business environment, all organisations, no matter how large or small, are reliant on technology to some extent. Indeed, many new start-ups are totally reliant on technology to deliver their service. Uber, Airbnb and Amazon are just a few names which spring to mind, where the whole business model is reliant on technology. Without their technology platforms, they have no business!

Therefore, in our ever more connected, always-on cyber age, organisations have a major exposure to the risk of a cyber-attack.

When I started my IT career in the late 1970s, we only needed to have good access controls on the Computer Room door, as users weren’t even connected within the office, let alone office to office!

We now live in a world of anytime, anywhere connections and are therefore susceptible to cyber risks.


Effective technology/cyber governance and management control is a combination of People, Process and Technology. Internal Audit has an essential role in providing assurance that the organisation is managing its cyber risks effectively and efficiently, minimising its risk exposure by operating effective controls consistently across People, Process and Technology.

We also need to recognise that a major cyber security breach is not a case of if, but when. So, we need to design and operate adequate and appropriate controls to reduce the likelihood of suffering an adverse risk event, but also be prepared to respond quickly and effectively to minimise the business impact in the event of a major security incident or breach.

Obtaining adequate Assurance

Internal Audit therefore needs the knowledge, skills, tools and techniques to be able to examine each element of People, Process and Technology to provide assurance that the organisation is:

  • Doing the right things
  • Doing them the right way
  • Doing them well and
  • Delivering Business Value.

To effectively protect our organisation, we need to fully understand the organisation’s business risk of its use of technology and select the most appropriate risk response and mitigation to effectively manage the identified risks.

However, risks are only effectively managed if the controls are operating correctly. This is where Internal Audit comes in, providing assurance that risks are being appropriately and effectively managed, and identifying control deficiencies and areas for continuous control improvement.

Therefore, we need to equip Internal Audit with the skills, knowledge, tools and techniques to be able to effectively audit this rapidly changing environment. I will cover the skills and knowledge in this article and will cover tools and techniques in a future article.

Effective controls are a combination of:

  • People
  • Process and
  • Technology.

So let’s have a look at each element in turn, but I will look at them in reverse order. 

Technology

Many organisations believe that if they focus on the Technology element, then they are effectively managing their risk. They invest relatively large amounts on acquiring, implementing and operating technology/cyber security solutions, such as a SOC (Security Operations Centre) and a SIEM (Security Information and Event Management system).

These are relatively big-ticket items to acquire. They then spend even more money on consultants to configure such solutions, but do they ever conduct any assurance work, to provide confidence that the technology is doing what they think it should be doing? In my experience, the answer is no. So undue reliance is being placed on these technologies. 

It is essential to undertake assurance work on implementation and to repeat it periodically, to ensure that the controls continue to operate effectively. Configuration settings also drift: while investigating an issue, we may switch a setting off to see whether that resolves it, but we don’t always remember to switch that setting back on!

Process

Our formal documented processes should set out the:

  • What
  • How
  • When.

Process is made up of 4 elements:

  • Standards
  • Policies
  • Procedures
  • Guidelines.

A Standard provides the rules to be applied consistently across the organisation. Standards can be external standards, such as ISO 27001, the international standard for information security management, or they can be internal standards defined by the organisation, such as minimum server, laptop and desktop builds, to provide a baseline.

A Policy sets out the golden rules, such as: all users will have a unique User ID, and this ID will be protected by 2 Factor Authentication (“2FA”).

Policies should be no more than 2 pages and, if written correctly, should not have to be changed very often, but they should be reviewed, and evidenced as having been reviewed, at least annually.

Procedures will be more detailed and set out how Policies are to be implemented, e.g., how a new user account is set up and what method of 2FA will be used. So Procedures will change more frequently, such as when the 2FA method is changed, but the Policy won’t need to change, because it only says that a method of 2FA will be used to protect user accounts.

Guidelines then provide additional guidance on how to operate the procedure, where it is required.

The trick is not to have too many policies, and not to mix policy and procedure in the same document, as the documents become too unwieldy, misunderstandings arise and people fail to adhere to the policy.

People

Of the three elements of People, Process and Technology, People is the most important. You can have the best designed Process and the latest Technology, but if your People don’t follow the Process as they should, or don’t use the Technology in the right way, then the control will not operate correctly, and the risk will not be effectively managed.

So developing our People is the most critical element, and it is not training, it is education.

There is a saying in the industry: People are our weakest link. Well, we need to do much better at educating our People to be our strongest link.

Education is not just saying what needs to be done and that it should be done; it is also the why. Why this needs to be done, and why in this way. If our People understand the why, they are more likely to do what we want them to do.


We also need to consider the controls operated by our third-party suppliers. Therefore, we need first to understand our full supply chain, the nature of the service each supplier provides us and how this may affect our risk profile. Remember, we can outsource the responsibility for doing something, but we can’t outsource the accountability. So, we need to obtain appropriate assurance that suppliers are operating appropriate, adequate and consistent controls. This can be achieved either through audit work we undertake ourselves, under a right-of-audit clause in the contract, or through an independent attestation, such as a SOC 2 report.

Where can we find help?

The UK Government recognised the importance of cyber security skills and on 15th December 2021 launched the latest version of the National Cyber Strategy.

The Strategy sets out how the UK will remain confident, capable and resilient in this fast-moving digital world; and how the UK will continue to adapt, innovate and invest in order to protect and promote its interests in cyberspace.

This strategy builds on, and takes forward, the good work started by its predecessor, the National Cyber Security Strategy 2016-2021.

The UK Government is backing up the ambitions articulated in the Strategy by committing £22 billion to research and development, and by putting technology at the heart of its plans for national security.

The Strategy sets out 5 pillars; Pillar 1 focuses on skills and building the required workforce.

Pillar 1: Strengthening the UK cyber ecosystem, investing in our people and skills and deepening the partnership between government, academia and industry

To help deliver the skills agenda, the Government commissioned the Cyber Security Alliance, a collaboration of 19 cyber-security-related professional bodies including ISACA, ISC2, CIISec, BCS, IET, WCIT, CREST, IAP, TechUK, IAAC and CompTIA, to establish the UK Cyber Security Council.

In March 2021 the UK Cyber Security Council was born. The UK Cyber Security Council has been established as the self-regulatory body for the UK's cyber security profession. It develops, promotes and stewards nationally recognised standards for cyber security in support of the UK Government’s National Cyber Security Strategy to make the UK the safest place to live and work online.

A very important objective is helping to develop cyber skills. To this end, the Council has developed a cyber security careers framework and defined 16 specialisms, one of which is Cyber Security Audit & Assurance.

The framework provides more information about each of the 16 specialisms.


ISACA was engaged by the Council to define the standard for Cyber Security Audit & Assurance and I was privileged to be a member of the working group.

You can watch this video of an interview with the Council’s Programme Manager - Standards Development, Leanne Sperry, and me, talking about the Council’s Cyber Security Audit & Assurance standard.

The Council has also developed a Certification Framework Tool which details the training, certifications etc., relevant to each of the 16 Specialisms.

Leadership from the top

Effective management of the Cyber Risk has to come from the top - Senior Execs need to lead by example. One of the roles of Internal Audit is advising Senior Execs, so an important skill is communicating in language that they understand.

ACCA conducted a survey of Chief Finance Officers - Cyber and the CFO - and some of the key results weren’t that surprising. We need to do more to educate the Senior Exec team, so they fully understand the Cyber Risk and how this materialises into Business Risk.

The NCSC suggests that “Good cybersecurity has to work for you; it has to be appropriate to your systems, your processes, your staff, your culture and, critically, has to be appropriate for the level of risk you are willing to accept”.

Managing an organisation’s Cyber Risk is complex, and it is not just the responsibility of the CFO; it is the responsibility of the whole C-suite. The C-suite have to get to grips with the reality that, just as they start their workday, thousands of organised crime firms wake up with only one KPI: breaking into your enterprise network.

The use of technology is a major enabler of business success; many organisations simply could not operate without their technology. Therefore, appropriate and effective technology/cyber governance is essential to help gain competitive advantage and ensure a resilient business.

Managing your technology/cyber risk and ensuring resilience of your business is extremely complex, but if you do nothing else, then ask these eight key questions to ensure you are at least doing the fundamentals:

  1. Do we have the basic hygiene factors in place? Secure configuration, including Patch Management and Malware Protection. Ensure your networked devices are configured appropriately, with no default settings left in place, and that all networked devices are patched and no more than 1 month out of date. If a device is on the network, it is a potential access point that can be exploited.
  2. Do we have appropriate and effective access controls? Implement 2 Factor Authentication, especially on Privileged Accounts and for Remote Access Users.
  3. Do we fully understand our business-related technology and cyber risks? Fully understand the business risk of using technology and cyber-enabled solutions, and ensure that controls are working effectively to manage these risks.
  4. Are we effectively managing our full supply chain? Understand the risk of your complete supply chain, the risk of your third parties and their third parties, from the perspective of the value and sensitivity of the information they handle on your behalf, and also how each supplier affects your organisation’s ability to deliver services to your customers.
  5. Have we the appropriate security culture? Leadership encouraging a technology and cyber security aware culture, including an ongoing awareness and education programme. The C-suite and senior management team not only saying the right things, but also backing their words with their actions.
  6. Can we respond to incidents quickly and effectively? Establish an appropriate and responsive Incident Management Capability. Recognise that breaches will happen, and be prepared to Respond and Recover: you will be judged by your shareholders, regulators, customers and business partners on how well and how quickly you are able to do so.
  7. How do we know we are effective? Performance monitoring, defining appropriate, meaningful and easily obtainable KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators), and providing an easy-to-understand Dashboard to the C-suite.
  8. Do we have the right skills, in the right numbers, in the right places? Ensure that the organisation has the right cyber security skills in the right numbers and in the right places, and that their training is kept up to date.
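As an added illustration (not code from the article or from ISACA), the check below turns three of the eight questions into something an auditor can run against an inventory extract: question 1 (devices patched within a month and no drift from a secure baseline, including the "switched off and never switched back on" settings mentioned in the Technology section), question 2 (2FA on privileged and remote-access accounts) and question 7 (KPIs and KRIs for a C-suite dashboard). The baseline keys, device list and account list are constructed sample data, and the dashboard field names are assumptions of this example.

```python
"""Added example (not from the article): a small continuous-controls check
over a constructed device and account inventory, covering questions 1, 2 and
7 of the article's eight key questions."""
from datetime import date
from typing import Dict, List

PATCH_SLA_DAYS = 30  # article: patched and "no more than 1 month out of date"

# Assumed secure baseline for networked devices (hypothetical setting names).
BASELINE = {"firewall": "on", "default_password": "changed", "remote_logging": "on"}

# Constructed sample inventory: an "as of" date plus three devices and four accounts.
AS_OF = date(2024, 5, 10)
DEVICES: List[Dict] = [
    {"name": "web-01", "last_patched": date(2024, 5, 2),
     "config": {"firewall": "on", "default_password": "changed", "remote_logging": "on"}},
    {"name": "db-01", "last_patched": date(2024, 3, 1),
     "config": {"firewall": "off", "default_password": "changed", "remote_logging": "on"}},
    {"name": "printer-07", "last_patched": date(2023, 11, 15),
     "config": {"firewall": "on", "default_password": "factory", "remote_logging": "off"}},
]
ACCOUNTS: List[Dict] = [
    {"user": "alice", "privileged": True, "remote": False, "mfa": True},
    {"user": "bob", "privileged": True, "remote": True, "mfa": False},
    {"user": "carol", "privileged": False, "remote": True, "mfa": False},
    {"user": "dave", "privileged": False, "remote": False, "mfa": False},
]


def patch_findings(devices: List[Dict], today: date) -> List[str]:
    """Q1: names of devices whose last patch is older than the SLA."""
    return [d["name"] for d in devices
            if (today - d["last_patched"]).days > PATCH_SLA_DAYS]


def config_drift(devices: List[Dict], baseline: Dict = BASELINE) -> Dict[str, Dict]:
    """Q1: per device, the settings that differ from the baseline (a setting
    switched off during an investigation and never re-enabled shows up here)."""
    drift = {}
    for d in devices:
        diffs = {k: d["config"].get(k) for k, v in baseline.items()
                 if d["config"].get(k) != v}
        if diffs:
            drift[d["name"]] = diffs
    return drift


def mfa_findings(accounts: List[Dict]) -> List[str]:
    """Q2: privileged or remote-access accounts that are not protected by 2FA."""
    return [a["user"] for a in accounts
            if (a["privileged"] or a["remote"]) and not a["mfa"]]


def dashboard(devices: List[Dict], accounts: List[Dict], today: date) -> Dict:
    """Q7: KPIs (coverage percentages) and KRIs (counts of open exposures)
    in a shape that can be dropped straight into a C-suite dashboard."""
    overdue = patch_findings(devices, today)
    drift = config_drift(devices)
    no_mfa = mfa_findings(accounts)
    in_scope = [a for a in accounts if a["privileged"] or a["remote"]]
    return {
        "kpi_patch_compliance_pct": round(100 * (1 - len(overdue) / len(devices)), 1),
        "kpi_mfa_coverage_pct": round(100 * (1 - len(no_mfa) / len(in_scope)), 1),
        "kri_devices_overdue": len(overdue),
        "kri_devices_drifted": len(drift),
        "kri_accounts_without_mfa": len(no_mfa),
        "kri_default_credentials": sum(1 for d in drift.values() if "default_password" in d),
    }


if __name__ == "__main__":
    # Run the three checks over the constructed inventory and print the dashboard.
    print("Overdue patches:", patch_findings(DEVICES, AS_OF))
    print("Configuration drift:", config_drift(DEVICES))
    print("Accounts without 2FA:", mfa_findings(ACCOUNTS))
    print("Dashboard:", dashboard(DEVICES, ACCOUNTS, AS_OF))
```

The point of separating the finding functions from the dashboard is auditability: each KRI can be traced back to the named devices or accounts that produced it, which is the evidence an auditor needs when the C-suite asks why a number moved. In practice the inventory would come from the organisation's CMDB, patch management tool and identity provider rather than from literals.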

ISACA has produced a briefing paper for the C-Suite called Building Business Resilience.

How do we develop the required skills?

So, where can we go to help develop the required skills? There are a number of sources, including ACCA and ISACA of course, along with a number of other bodies. 

So let’s start with ACCA.

ACCA

ACCA has a series of free webinars on Demystifying IT Audit available on demand. 

ACCA also has a course on Managing the cyber threat for finance professionals.

ISACA

ISACA is a global professional association and learning organization with 170,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. With a presence in 188 countries and with 225 chapters worldwide, ISACA is recognised around the world for its guidance, credentials, education, training and community. 

ISACA is committed to the advancement of digital trust by empowering professionals to grow their skills and knowledge in audit, cybersecurity, emerging tech and more. For more than 50 years, ISACA has continued to help individuals and enterprises worldwide advance their careers, transform their organizations, and build a more trusted and ethical digital world.

ISACA has a number of globally recognised certifications and certificates, but the most relevant ones for this area are:

ISACA also provides access to a number of IT Audit resources to support the undertaking of appropriate audit/assurance work, developed by ISACA members who are subject matter experts in each audit topic. These resources include a large number of Audit/Assurance Programmes covering a range of technology/cyber topics.

You can follow ISACA Central UK Chapter on LinkedIn for updates.

Other

There are a number of other bodies providing webinars, podcasts, qualifications and useful resources. Here’s a selection:

  • UK Cyber Security Council: provides help and support in career development and provides access to thought leadership.
  • NCSC (National Cyber Security Centre): the UK Government’s body, part of GCHQ, providing guidance and thought leadership to help organisations protect themselves.
  • CISP: NCSC’s Cyber Security Information Sharing Partnership.
  • SASIG (Security Awareness Specialist Interest Group): provides access to at least three weekly webinars and a programme of in-person events across the UK.
  • Cyber Resilience Centres: a UK-wide network.
  • DSIT (Department of Science, Innovation and Technology).
  • CyBOK: the UK’s Cyber Security Body of Knowledge.
  • NIST (National Institute of Standards & Technology).
  • NICE Framework Resource Centre: the NICE Framework establishes a common language that describes cybersecurity work and the knowledge and skills needed to complete that work. It is used in public and private sectors and across industries for career discovery, education and training, and in hiring and workforce development.
  • ENISA (The European Union Agency for Cybersecurity).
  • SFIA: the global skills and competency framework for the digital world.

Wrap-up

The role of Internal Audit in helping organisations effectively manage the business risk of using technology, in support of the delivery of business goals and objectives in an increasingly digital and cyber world, is only going to continue to grow and evolve.

New technologies will require a different mind-set. We saw this with the advent of Cloud a few years ago: many auditors’ first reaction was that we can’t take our precious data off our secure servers, located in a safe and secure server room to which we control access, and put it into the cloud. But Cloud is now accepted and is as safe as, if not safer than, on-premises servers. We have had to learn to adapt and develop new techniques to provide appropriate and adequate controls.

We then look at the current emerging technologies, such as Generative AI, Machine Learning, Robotic Process Automation (RPA), Blockchain and Quantum Computing (which will render encryption as we know it today useless). Not to mention those future technologies that we don’t even know about as of today.

As auditors we need to be constantly developing our knowledge and skills and learning to adapt to the changing risk environments of our organisation and helping to effectively manage risk. 

I hope the information I’ve provided will help you to do just that. 

 

Mike Hughes, ChCSP, CISA, CISM, CGEIT, CRISC, CDPSE, MIoD

Mike is Past President and Director of Relationships for ISACA Central UK and has been involved with ISACA for over 30 years at both the Local and International levels. Mike has also served on a number of ISACA’s International Boards and Committees, including a term on ISACA’s International Board of Directors.

As well as holding a number of ISACA’s certifications, including CISM, CRISC and CISA, Mike is also one of ISACA’s trainers for the exam preparation courses for these certifications. 

Mike’s many years of volunteering with ISACA was recognised in 2023, when he was inducted into ISACA’s Hall of Fame. 

Mike has over 40 years’ experience, including 10 years in mainstream IT, 20 years with KPMG in a number of senior roles and, for the past 16 years, as a Director with Prism RA, a technology and cyber governance, risk, compliance and security consultancy. Mike is also a non-executive director of Cyber Q Group, an award-winning, innovative cyber security company, and a member of the Institute of Directors.